Re: Idea: Check session source and destination

On Apr 27, 2004, at 15:00, Henrik Nordstrom wrote:

> netfilter conntrack requires traffic to be successfully forwarded to
> operate correctly. If you drop traffic then netfilter assumes that packet
> was dropped and never forwarded.
>
> If you are mirroring then you must never drop or reject any packets as
> this will disturb the connection tracking, but you can make whatever other
> decisions on the packets you like.

Ah. This is a point where my assumptions have failed. :)


So, when I can't use DROP in iptables, can I do it with ebtables instead? That is, is it possible to mark packets with iptables and drop them with ebtables? Something like this:

iptables -t mangle -A PREROUTING -m conntrack --ctorigdst <int> -j ACCEPT
iptables -t mangle -A PREROUTING -j MARK --set-mark 1

ebtables -t nat -A POSTROUTING --mark 1 -j DROP

I know that this exact example does not work, but not why it fails.

I'm starting to believe that what I want to achieve here is impossible with iptables/ebtables, and any ideas on what I should try/explore would be most welcome.

mike
--
"It is a lesson which all history teaches wise men, to put trust in
 ideas, and not in circumstances."            --Ralph Waldo Emerson
